c2c-oerpscenario team mailing list archive

Thread
Date

[Bug 766982] Re: If you associate 2 or more groups to an ir.rule, rules are not correctly applied

To: c2c-oerpscenario@xxxxxxxxxxxxxxxxxxx
From: "Stefan Rijnhart \(Therp\)" <766982@xxxxxxxxxxxxxxxxxx>
Date: Thu, 21 Apr 2011 13:35:59 -0000
Reply-to: Bug 766982 <766982@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx

Hi Lorenzo,

This is a matter of semantics. If a rule is regarded as a method to
*restrict* access rights, then you have a good point. If on the other
hand, a rule is regarded as *granting* access right, then the current
implementation is correct: in case of two different rules granting
access to two sets of records to the same group, members of this group
should indeed have access to the union of the two sets.

The documentation is in fact unclear on this semantic aspect, but with
respect to the current implementation remark no. 2 on the form itself is
simply wrong. It should say that group-specific rules are combined
together with a logical OR operator instead.

For now, I would prefer for the documentation to be adapted to the code
and not the other way around. But you can also ask the usability experts
for their opinion on the subject: https://launchpad.net/~openerp-expert-
ergonomy

Cheers,
Stefan.

-- 
You received this bug notification because you are a member of C2C
OERPScenario, which is subscribed to the OpenERP Project Group.
https://bugs.launchpad.net/bugs/766982

Title:
  If you associate 2 or more groups to an ir.rule, rules are not
  correctly applied

Status in OpenERP Server:
  New

Bug description:
  Steps:
  1- create new db with only 'base' module
  2- create 2 groups: 'group1' and 'group2'
  3- create 2 rules on res.partner:
      - 'rule1' with domain: [('name','=','rule1')] and groups: 'group1'
      - 'rule2' with domain: [('ref','=','rule2')] and groups: 'group1' and 'group2'
  4- create user 'test' and associate to 'group1'
  5- create 2 partners:
      - with name: 'rule1' and ref: 'rule2'
      - with name: 'test' and ref: 'rule2'
  6- login with user 'test'
  7- you'll see both of partners

  This is wrong because since the user 'test' belongs to 'group1' and this group contains 2 rules, these rules must be combined with AND operator. So, user 'test' should see first partner only.
  This happens because second rule and both 2 rules are combined with OR:
  ((rule1 AND rule2) OR rule2)
  I suppose the problem to be connected with line 117 of ir_rule.py: http://bazaar.launchpad.net/~openerp/openobject-server/6.0/view/3404/bin/addons/base/ir/ir_rule.py#L115
  Instead of adding every group of the rule, you should check whether the user belongs to the group that will be added

References

[Bug 766982] [NEW] If you associate 2 or more groups to an ir.rule, rules are not correctly applied
From: Lorenzo Battistini - agilebg.com, 2011-04-20